Clinton Email Server Vulnerable for 3 Months: Venafi

Access to the personal email server used by former U.S. Secretary of State Hillary Clinton was not encrypted or authenticated by a digital certificate for the first three months of her term,research from security firm Venafi has found.

Clinton's use of a private email address for work as secretary of state has been the source of controversy recently. During a press conference at the United Nations this week, she said she used the email for "convenience" because she thought it would be easier to carry one device for her work and personal emails instead of two.

Clinton said she gave the State Department about 55,000 pages worth of emails that she sent and received with the private server for review. The remaining emails covered non-work issues such as yoga and wedding plans for her daughter, she said, and were deleted.

According to Venafi, questions have been raised about the security of Clinton's personal email. Using its TrustNet certificate reputation service, Venafi found that at least three digital certificates were used with clintonemail.com since 2009. The certificates were obtained validly and enabled web-based encryption for applications.

"Based on TrustNet analyst, Venafi can conclude clintonemail.com was enabled for browser, smartphone, and tablet encryption since 2009 and can operate using encryption through at least 2018," blogged Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "However, for the first 3 months of Secretary Clinton’s term, access to the server was not encrypted or authenticated with a digital certificate. During this time, Secretary Clinton travelled to China, Egypt, Israel, South Korea and other locations outside the U.S."

"Starting in late March 2009, mail.clintonemail.com was enabled with a Network Solutions’ digital certificate and encryption for web-based applications like Outlook Web Access. This was 3 months after Secretary Clinton took office," he continued. "The clintonemail.com domain was registered with Network Solutions in January 2009 – 8 days before Secretary Clinton was confirmed by the U.S. Senate. Therefore, from January to end of March 2009 access to clintonemail.com did not use encryption."

Once the digital certificate was installed in March 2009, all access with a desktop web browser, smartphone or tablet was encrypted, even on government networks designed to inspect traffic, he blogged.

"Clintonemail.com operated for 3 months without a digital certificate," Bocek blogged. "This means that during the first 3 months of Secretary Clinton’s term in office, web browser, smartphone, and tablet communications would not have been encrypted. Attackers could have eavesdropped on communications. As well, the server would not have been uniquely identified...and therefore could have been spoofed – allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password or other sensitive information."

According to a study released today by the Ponemon Institute, the number of keys and certificates deployed on infrastructure such as web servers, network appliances and cloud services jumped more than 34 percent to almost 24,000 per enterprise. Fifty-four percent of the 2,371 IT security professionals surveyed admitted they do not know where all their keys and certificates are located.

"With the rising tide of attacks on keys and certificates, it’s important that enterprises really understand the grave financial consequences," said Larry Ponemon, founder of the Ponemon Institute, in a statement. "We couldn’t run the world’s digital economy without the system of trust they create. This research is incredibly timely for IT security professionals everywhere – they need a wake-up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals."